Privacy Policy
How we collect, use, and protect your personal information.
Last updated: 10 June 2026
1 Who We Are
Buy Local Lowveld is a community membership initiative promoting locally owned businesses in the Lowveld region of Mpumalanga, South Africa.
Mbombela, Mpumalanga, South Africa
Email: info@buylocallowveld.co.za
Website: buylocallowveld.co.za
References to "we", "us", or "our" in this policy mean Buy Local Lowveld and Elegant Work Group (Pty) Ltd acting as the responsible party for your personal information.
2 Scope of This Policy
This Privacy Policy applies to:
- Members — businesses that have registered or applied for a Buy Local Lowveld membership.
- Website visitors — anyone who browses buylocallowveld.co.za or our development site.
- Directory users — anyone who searches or views our business directory.
- Newsletter subscribers — anyone who has signed up to receive our email newsletter.
- Enquirers — anyone who contacts us via our contact form.
It does not apply to third-party websites linked from our site. Those sites have their own privacy policies.
3 Information We Collect
| Category | What we collect | How we collect it |
|---|---|---|
| Identity | First name, last name, business name | Membership registration form |
| Contact | Email address, phone number, physical address | Registration form, profile updates |
| Business details | Industry, business description, operating hours, logo, photos, website URL | Directory listing form |
| Account credentials | Email address, hashed password (never plain text) | Account creation |
| Payment & billing | Transaction amounts, invoice dates, PayFast transaction IDs. We do not store card numbers. | PayFast payment gateway notifications |
| Usage & analytics | Page views, listing views, search terms, device type. IP addresses are hashed and never stored in plain text. | Automatic collection on site visit |
| Communications | Emails you send us, notes in your member history, cancellation reasons | Contact form, member dashboard |
| Marketing preferences | Newsletter subscription status, email open/click data | Newsletter signup, Mailchimp |
We collect only the minimum information necessary for the purposes described in this policy.
4 How We Use Your Information
| Purpose | Information used |
|---|---|
| Create and manage your membership account | Identity, contact, credentials |
| Display your listing in the public directory | Business details, contact info (as you choose to publish) |
| Process payments and issue invoices | Identity, contact, billing data |
| Send transactional emails (payment confirmations, renewal reminders, account notices) | Identity, contact, billing data |
| Send our newsletter and marketing communications (with your consent) | Identity, contact, marketing preferences |
| Sync contact records to our accounting system (Zoho Books) | Identity, contact, billing data |
| Improve our website and directory | Usage analytics (anonymised/hashed) |
| Respond to enquiries and provide support | Identity, contact, communication records |
| Comply with legal obligations | Identity, billing data |
We will not use your personal information for any purpose that is incompatible with the purposes listed above without first obtaining your consent.
5 Legal Basis for Processing
Under POPIA, we process your personal information on one or more of the following grounds:
- Contract — processing is necessary to fulfil our membership agreement with you (e.g. managing your account, processing payments, displaying your listing).
- Legal obligation — processing is required by South African law (e.g. retaining invoice records for tax purposes).
- Legitimate interest — processing is necessary for our legitimate interests in operating and improving the Buy Local Lowveld platform, provided those interests are not overridden by your rights.
- Consent — where we rely on consent (e.g. sending marketing emails), you have the right to withdraw it at any time.
6 Who We Share Your Information With
We do not sell, rent, or trade your personal information. We share it only in the following circumstances:
- Service providers — we share data with trusted third-party processors (listed in Section 7) who help us operate our platform, strictly for that purpose.
- Legal requirements — we may disclose your information if required to do so by law, court order, or a regulatory authority in South Africa.
- Business transfer — if Buy Local Lowveld is transferred to a new operator, your information may be transferred as part of that transition. We will notify you before it happens.
- With your consent — we may share information for any other purpose with your prior written consent.
All third-party processors are contractually bound to handle your information securely and only for the purpose for which it was shared.
7 Third-Party Services We Use
| Service | Purpose | Data shared | Privacy policy |
|---|---|---|---|
| PayFast | Payment processing | Name, email, amount. Card details held by PayFast only. | payfast.co.za |
| Mailchimp | Email marketing & automations | Name, email, membership tier, business name | mailchimp.com |
| Zoho Books | Accounting & invoicing | Name, email, business name, billing address | zoho.com |
| Elegant Work Group | Platform development & hosting | All member data (as platform administrator) | elegantwork.co.za |
| Cloudflare | Web security & performance | IP addresses (processed transiently, not stored by us) | cloudflare.com |
Each of these processors is bound by its own privacy policy and applicable data protection law. Where processors are located outside South Africa (e.g. Mailchimp in the USA, Zoho in India), we rely on those processors' compliance with internationally recognised data protection standards.
8 Cookies & Tracking
Our website uses the following types of cookies and local storage:
- Session cookies — strictly necessary to keep you logged in to your member account. These expire when you close your browser.
- Security cookies — store a CSRF token to protect forms from cross-site request forgery. Strictly necessary.
- Analytics — we collect page views, listing views, and search terms using our own first-party analytics. IP addresses are hashed with a salt before storage; we never store raw IP addresses. No third-party tracking scripts (e.g. Google Analytics) are used on our core platform.
We do not use advertising or profiling cookies. You can disable cookies in your browser settings, but doing so will prevent you from logging in to your member account.
9 Data Retention
We retain your personal information for as long as necessary for the purposes for which it was collected, and in accordance with our legal obligations:
| Data type | Retention period |
|---|---|
| Active member account data | For the duration of your membership |
| Invoices and payment records | 5 years after the end of the tax year (SARS requirement) |
| Cancelled member records | 3 years after cancellation, then deleted or anonymised |
| Email communication logs | 2 years |
| Website analytics (hashed) | 2 years, rolling |
| Newsletter subscriber data | Until you unsubscribe + 1 year |
| Contact form enquiries | 2 years |
When data is no longer required, it is securely deleted or anonymised so that it can no longer be linked to an individual.
10 Your Rights Under POPIA
As a data subject under POPIA you have the following rights:
To exercise any of these rights, contact us at info@buylocallowveld.co.za. We will respond within 30 days. We may need to verify your identity before acting on a request.
You also have the right to lodge a complaint with the Information Regulator of South Africa if you believe we have not handled your personal information lawfully:
Email: inforeg@justice.gov.za
Complaints email: POPIAComplaints@inforeg.org.za
11 Security
We implement reasonable technical and organisational measures to protect your personal information against unauthorised access, loss, or misuse. These measures include:
- Passwords hashed using bcrypt (cost factor 12) — plain-text passwords are never stored.
- CSRF protection on all forms.
- Session ID regeneration on login to prevent session fixation attacks.
- Rate limiting on login, registration, and password reset endpoints.
- IP addresses stored only as salted hashes — never in plain text.
- Email account credentials encrypted at rest using AES encryption.
- Payment processing delegated entirely to PCI-DSS compliant PayFast — we never handle card numbers.
- HTTPS enforced across the entire platform via Cloudflare.
No method of transmission over the internet is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee its absolute security. In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the Information Regulator as required by POPIA.
12 Children
Our platform is not directed at children under the age of 18. We do not knowingly collect personal information from minors. Membership requires applicants to be at least 18 years of age. If you believe we have inadvertently collected information from a minor, please contact us at info@buylocallowveld.co.za and we will delete it promptly.
13 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or in applicable law. When we make material changes, we will update the "Last updated" date at the top of this page and notify active members by email at least 14 days before the changes take effect.
We encourage you to review this policy periodically. Your continued use of our platform after any changes constitutes your acceptance of the updated policy.
14 Contact & Complaints
For any questions, requests, or concerns about this Privacy Policy or how we handle your personal information, please contact our Information Officer:
Website: buylocallowveld.co.za
Administered by: Elegant Work Group (Pty) Ltd, Mbombela, Mpumalanga, South Africa
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Regulator of South Africa (see Section 10).